PKI NSS Certificate CLI - dogtagpki/pki GitHub Wiki
The pki nss-cert commands can be used to manage certificates in an NSS database.
To find all certificates in the NSS database:
$ pki nss-cert-find
Availability: Since PKI 11.1.
To find certificates with a specific subject DN or issuer DN, specify the following options:
$ pki nss-cert-find --subject <DN> --issuer <DN>
Availability: Since PKI 11.6.
To display certificate info:
$ pki nss-cert-show caadmin
  Nickname: caadmin
  Serial Number: 0x844a78e9c0c7567b80da5343fb049110
  Subject DN: CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Wed Aug 02 18:18:40 CDT 2023
  Not Valid After: Tue Jul 22 18:18:40 CDT 2025
  Trust Flags: u,u,u
To display certificate info in JSON format:
$ pki nss-cert-show caadmin --output-format json
{
  "nickname" : "caadmin",
  "serialNumber" : "0x844a78e9c0c7567b80da5343fb049110",
  "subjectDN" : "CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE",
  "issuerDN" : "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE",
  "notBefore" : 1691018320000,
  "notAfter" : 1753226320000,
  "trustFlags" : "u,u,u"
}
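The JSON form is the one to consume from scripts: notBefore and notAfter are milliseconds since the Unix epoch, and trustFlags holds the three NSS trust fields (SSL, e-mail, object signing). The following Python check is an added example, not part of this wiki or the PKI project: it reports validity-window problems and CA trust (C or T) on a certificate that is not expected to be a CA. The names audit_cert and from_millis, the finding strings and the 30-day warning threshold are assumptions of the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Record copied from the JSON output above (DN fields omitted for brevity).
SAMPLE = """{
  "nickname" : "caadmin",
  "serialNumber" : "0x844a78e9c0c7567b80da5343fb049110",
  "notBefore" : 1691018320000,
  "notAfter" : 1753226320000,
  "trustFlags" : "u,u,u"
}"""

TRUST_FIELDS = ("ssl", "email", "object-signing")  # order of the three NSS trust fields


def from_millis(ms):
    """notBefore/notAfter are epoch milliseconds; return an aware UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def audit_cert(record_json, now, warn_days=30, expect_ca=False):
    """Return a list of findings for one nss-cert-show JSON record (hypothetical helper)."""
    rec = json.loads(record_json)
    findings = []
    not_before, not_after = from_millis(rec["notBefore"]), from_millis(rec["notAfter"])
    if now < not_before:
        findings.append("not-yet-valid")
    elif now > not_after:
        findings.append("expired")
    elif not_after - now <= timedelta(days=warn_days):
        findings.append(f"expires-in-{(not_after - now).days}-days")

    fields = rec["trustFlags"].split(",")
    if len(fields) != len(TRUST_FIELDS):
        findings.append("malformed-trust-flags")
    elif not expect_ca:
        # C and T mark a trusted CA (server / client certificate issuance);
        # on a non-CA certificate they turn it into a trust anchor.
        for name, flags in zip(TRUST_FIELDS, fields):
            if "C" in flags or "T" in flags:
                findings.append(f"unexpected-ca-trust:{name}")
    return findings


if __name__ == "__main__":
    print(audit_cert(SAMPLE, datetime.now(timezone.utc)))
```

In practice the record would come from the standard output of `pki nss-cert-show <nickname> --output-format json` instead of the embedded sample.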
To display info of a certificate identified by its binary data:
$ pki nss-cert-show --cert-file caadmin.crt
  Nickname: caadmin
  Serial Number: 0x844a78e9c0c7567b80da5343fb049110
  Subject DN: CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Wed Aug 02 18:18:40 CDT 2023
  Not Valid After: Tue Jul 22 18:18:40 CDT 2025
  Trust Flags: u,u,u
To import a certificate into the NSS database:
$ pki nss-cert-import [nickname] \
--cert <filename> \
--trust <attributes>
Availability: Since PKI 10.9.
To verify a certificate in the NSS database:
$ pki nss-cert-verify <nickname>
By default, it only verifies whether the certificate is within its validity period.
To also verify the certificate usage, specify the --cert-usage <usage> option.
To export a certificate from the NSS database:
$ pki nss-cert-export <nickname>
To change the trust flags of a certificate:
$ pki nss-cert-mod \
--trust-flags <flags> \
<nickname>
Availability: Since PKI 11.9.
To remove a certificate from the internal token in the NSS database:
$ pki nss-cert-del <nickname>
To remove a certificate from an HSM, prepend the nickname with the token name: <token>:<nickname>.
To also remove the key of the certificate, specify the --remove-key option.
Availability: Since PKI 11.5.